False Positive: 'Suspicious File Modification' generated by XDR Agent - Module Anti-Ransomware Protection


L1 Bithead

Hi, we see a problem with a PowerShell script we are using to clean up profiles on some specific Remote Session Host servers.

It gets blocked by Cortex XDR Pro, so I want to make an exception for this.

Unfortunately it seems only possible to create an Alert Exception for this, and that would allow the initiator CGO "Powershell.exe"
for the Ransomware Module in general, which seems a bit too dangerous to me.

I didn't find anything to allow just the PowerShell script + path + system name (for example) instead of powershell.exe.

You can edit very granular exclusions, but it seems not possible to do the same for exceptions, or?

Is there maybe something else I can do to allow the script without freeing up every PowerShell script to run?

Kind regards

Marcus

6 REPLIES

L5 Sessionator

Hi @Rindsland, your question seems to be similar to this. You can create a Malware Profile (Step 3, sub-step 3) allowing the PS script (full path) to be exempted from analysis and associate it with a policy that is applied to the selected set of servers.

 

If this works for your case, please let us know, and accept the response as a solution for others to refer to and follow.

L1 Bithead

Hi @bbarmanroy, it comes from the Anti-Ransomware Protection module, so I am not sure if it really helps here, but I will give it a try.

It looks to me like the Anti-Ransomware module doesn't really have an exception, or?

I am also aware that I can stop the module completely via the Malware Profile on our Remote Session Host servers, but I think you will also agree that this is not a good idea.

Anyway, thank you for your input and for trying to help find a solution for this.

Best regards

Marcus

Hi @Rindsland, the PowerShell script that you're trying to execute is vetted and trusted within your organization, if I understand correctly. If Cortex XDR is flagging it as ransomware and preventing it from executing, that is because the script possibly has some actions that are similar in nature to ransomware. Which is good - it is a sign that you're running the Ransomware module protection in Block mode!

Coming back to your need, what I am recommending is for you to create an exception only for that trusted script, and apply it to only that set of servers. No other modules or protections are being disabled for anything else that is running in your organization.

 

The recommendation is:

1. Create a copy of your existing Malware profile that is currently applied to those servers.

2. Edit the new Malware profile to create an exception for the trusted PowerShell script.

3. Create a new policy that will apply the Malware profile to the specific set of servers.

 

Hope this clarifies my recommendation.

@bbarmanroy Where? I don't see anything under this module.

L5 Sessionator

Hey @eumbach , you'll need to perform the action under PE and DLL examination (step 3c) and see if that meets your requirements.

That's a directory, not a CGO.
